Info watchdog reveals 139 data breaches since POPIA
As more South African organisations are targeted by cyber criminals, the Information Regulator says it’s receiving more data breach notifications since the country’s data privacy legislation − the Protection of Personal Information Act (POPIA) − came into force on 1 July.
In an interview with ITWeb, Nomzamo Zondi, spokesperson of the Information Regulator, revealed that a total of 139 South African organisations have reported they have suffered a data breach since POPIA was enforced.
The regulator has indicated that amid these heightened data compromises, it is taking credit bureau Experian to task over a breach that exposed personal information of up to 24 million South Africans.
The Information Regulator is, among other duties, empowered to monitor and enforce compliance by public and private bodies with the provisions of South Africa’s data privacy law, POPIA.
The Act sets down firm frameworks that companies have to abide by to avoid fines, criminal persecution and potential reputation loss.
Breaching the rules and regulations outlined by this Act can have serious financial implications for the business, which can cost more than money and have long-lasting consequences.
The Act makes provision for fines of up to R10 million and a jail sentence of up to 10 years, depending on the seriousness of the breach.
According to Zondi, COVID-19 has led to increased online activities, subsequently increasing cyber attacks, which lead to the breaches.
“The prevalence is also contributed to by organisations having aging ICT infrastructure; lack of knowledge in data privacy and cyber security; lack of digital skills; and not having a digital security posture because of the failure to adopt information management security systems and practices,” she says.
“Practising cyber hygiene is critical and all organisations need to adopt robustly. The Cyber Crimes Act recently came into effect and thus the delay hindered some of the actions that have been taken in so far as cyber security is related.”
On 1 December, several elements of South Africa’s new Cyber Crimes Act came into effect − six months after president Cyril Ramaphosa first signed the Bill into law.
According to Matthew Campbell, head of SME and fibre-to-the-home at Seacom, the Act is a major step forward in regulating online spaces.
“It gives law enforcement the teeth to go after criminals and helps victims of digital misconduct protect themselves and seek justice, which is good news as cyber crime is on the rise,” Campbell says.
Zondi explains that the Cyber Crimes Act outlines the conditions of POPIA which must be applied in the context of cyber crime.
“The Cyber Crimes Act proclamation has offered an opportunity for cyber threats to be dealt with and apply prosecutions.”
The latest IBM Security Cost of a Data Breach Report indicates the global average cost of a data breach has risen to $4.24 million in 2021, a 10% increase overall and the largest percentage increase in the 17-year history of the report.
The report notes that in South Africa, the average cost was $3.21 million – the highest in the southern hemisphere.
There are a number of South African organisations that recently fell prey to data breaches as well as data leaks.
Last week, big-four bank Standard Bank and property firm Lightstone confirmed they suffered a data breach that exposed the personal information of property owners.
The organisations have already informed the information watchdog about the breach, saying information of some property owners in South Africa was accessed without permission through the LookSee online platform.
In September, South African banks acknowledged some of their customers’ data was compromised by the cyber attack on debt recovery solutions provider Debt-IN Consultants.
First National Bank, Absa, Standard Bank and African Bank are some of the financial institutions that make use of Debt-IN’s services.
Other organisations which have also been hit by cyber attacks include Transnet, the South African National Space Agency, and the Department of Justice and Constitutional Development.
Credit bureau Experian made headlines in August 2020, after it experienced a data breach that exposed the personal information of as many as 24 million South Africans and 793 749 business entities to a suspected fraudster.
ITWeb reported in October that the Information Regulator expressed shock that Experian customer data had been leaked on Telegram, in what appeared to be a continuation of the data breach the credit bureau experienced last year.
Now, the Information Regulator is taking a tougher stance on repeat offender, Experian, says Zondi.
“With the recent (October 2021) issues resurfacing which had further repercussions from the Experian breach which occurred in 2020, the regulator has since had an executive meeting with Experian to engage on the security compromise, where the regulator requested a concrete forensic report which will deal with the matter and protect data subjects from further implications to their personal information.
“They have been placed on bi-monthly monitoring and they report what they are doing to deal with the issues and what measures they have put in place to ensure this does not happen again,” she concludes.